1. Authentication

Authentication verifies the identity that an entity or user claims (who it is). Whether that identity may then access a protected resource is a separate decision, authorization, covered in section 2.

ActiveMQ provides two plug-ins for authentication:

(1) Simple authentication plug-in: user names, passwords and group membership are written directly into the broker's XML configuration.

Add the plug-in inside the <broker> element of conf/activemq.xml:

<plugins>
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="admin" password="password" groups="admins,publishers,consumers"/>
      <authenticationUser username="publisher" password="password" groups="publishers,consumers"/>
      <authenticationUser username="consumer" password="password" groups="consumers"/>
      <authenticationUser username="guest" password="password" groups="guests"/>
    </users>
  </simpleAuthenticationPlugin>
</plugins>

The passwords above are placeholders. The plug-in keeps them in clear text in activemq.xml, so use real secrets and restrict read access to the file; group names, not user names, are what the authorization entries in section 2 refer to.
Client code can present credentials in either of two ways:

1. When creating the Connection:

    // authenticate with a user name and password when the connection is created
    Connection conn = connFactory.createConnection("admin", "password");

2. When creating the ConnectionFactory:

    ConnectionFactory connFactory = new ActiveMQConnectionFactory("admin", "password", url);

Credentials passed to createConnection() take precedence over those set on the factory. Over a plain tcp:// transport they travel unencrypted, so use an ssl:// transport when client and broker are not on a trusted network.
(2) JAAS authentication plug-in: implements the JAAS API and offers a more powerful, customizable authentication scheme.

Configuration:

1. Create a login.config file in the conf directory that configures the PropertiesLoginModule:

activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule required
        debug=true
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
};

2. Create users.properties in the conf directory to define the users:

# four users, one user=password per line
admin=password
publisher=password
consumer=password
guest=password

3. Create groups.properties in the conf directory to define the groups:

# four groups; each line lists the group's members
admins=admin
publishers=admin,publisher
consumers=admin,publisher,consumer
guests=guest

4. Enable the plug-in in activemq.xml (the configuration attribute must match the entry name in login.config, here activemq-domain):

<!-- JAAS authentication plug-in -->
<plugins>
  <jaasAuthenticationPlugin configuration="activemq-domain" />
</plugins>

5. Point the broker JVM at the login configuration when starting it.

From a Windows command prompt:

D:\tools\apache-activemq-5.6.0-bin\apache-activemq-5.6.0\bin\win64>activemq.bat -Djava.security.auth.login.config=D:/tools/apache-activemq-5.6.0-bin/apache-activemq-5.6.0/conf/login.config

6. Client-side authentication is the same as for the simple authentication plug-in.
2. Authorization

Once a user is authenticated, permissions can be granted according to its role: some users may write to a queue, others may only read from it, and so on.

There are two kinds of authorization:

(1) Destination-level authorization

Three operations can be permitted on a JMS destination:

Read: consume messages from the destination
Write: send messages to the destination
Admin: create and delete the destination (the broker creates missing destinations on demand, so the client that first touches a non-existent destination needs this permission too)

Configure in conf/activemq.xml:

<plugins>
  <jaasAuthenticationPlugin configuration="activemq-domain" />
  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <authorizationEntry topic="topic.ch09" read="consumers" write="publishers" admin="publishers" />
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>

Each attribute lists the groups (not users) allowed to perform that operation. Once the authorization plug-in is enabled, any destination not matched by an entry is denied to everyone. That includes the ActiveMQ.Advisory.> topics that clients subscribe to when they connect, so a map containing only the entry above causes every login to fail until an entry for ActiveMQ.Advisory.> is added (or clients connect with watchTopicAdvisories=false).
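The following is an added example, not code from the original page or from the ActiveMQ project. It builds the simple authentication users from section 1 and the authorization entry above into an embedded broker, then drives it from a JMS client so that the client-side authentication of section 1 and the destination-level checks of this section can be watched failing and succeeding in one run. The class name SecuredBrokerDemo, the user names and passwords, and the vm:// broker URL are assumptions; it expects the ActiveMQ 5.x activemq-all jar on the classpath.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.jms.Connection;
import javax.jms.JMSSecurityException;
import javax.jms.MessageConsumer;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.jms.Topic;
import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.BrokerService;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.command.ActiveMQTopic;
import org.apache.activemq.filter.DestinationMapEntry;
import org.apache.activemq.security.AuthenticationUser;
import org.apache.activemq.security.AuthorizationEntry;
import org.apache.activemq.security.AuthorizationPlugin;
import org.apache.activemq.security.DefaultAuthorizationMap;
import org.apache.activemq.security.SimpleAuthenticationPlugin;

// Added example (not from the page or the ActiveMQ project): an embedded broker carrying the same
// authentication users and authorization entry as the XML above, driven by a JMS client.
// Class name, credentials and the vm:// URL are assumptions.
public class SecuredBrokerDemo {
    static final String URL = "vm://localhost?create=false";
    static final String TOPIC = "topic.ch09";

    static BrokerService startBroker() throws Exception {
        BrokerService broker = new BrokerService();
        broker.setBrokerName("localhost");
        broker.setPersistent(false);
        broker.setUseJmx(false);
        // Create the topic up front: the broker creates missing destinations on demand, and the
        // client that triggers that needs admin permission on them.
        broker.setDestinations(new ActiveMQDestination[] { new ActiveMQTopic(TOPIC) });
        broker.setPlugins(new BrokerPlugin[] { authentication(), authorization() });
        broker.start();
        return broker;
    }

    // programmatic form of <simpleAuthenticationPlugin>
    static SimpleAuthenticationPlugin authentication() {
        List<AuthenticationUser> users = Arrays.asList(
                new AuthenticationUser("publisher", "publisher-secret", "publishers,consumers"),
                new AuthenticationUser("consumer", "consumer-secret", "consumers"));
        return new SimpleAuthenticationPlugin(users);
    }

    // programmatic form of <authorizationPlugin>: read for consumers, write and admin for publishers
    static AuthorizationPlugin authorization() throws Exception {
        List<DestinationMapEntry> entries = new ArrayList<DestinationMapEntry>();
        entries.add(entry(TOPIC, "consumers", "publishers", "publishers"));
        // clients subscribe to advisory topics on connect; without this entry every login fails
        entries.add(entry("ActiveMQ.Advisory.>", "consumers,publishers", "consumers,publishers", "consumers,publishers"));
        DefaultAuthorizationMap map = new DefaultAuthorizationMap();
        map.setAuthorizationEntries(entries);
        return new AuthorizationPlugin(map);
    }

    static AuthorizationEntry entry(String topic, String read, String write, String admin) throws Exception {
        AuthorizationEntry e = new AuthorizationEntry();
        e.setTopic(topic);
        e.setRead(read);    // comma-separated group names, exactly as in the XML attributes
        e.setWrite(write);
        e.setAdmin(admin);
        return e;
    }

    static Connection connect(String user, String password) throws Exception {
        Connection conn = new ActiveMQConnectionFactory(URL).createConnection(user, password);
        conn.start();       // credentials are verified only now, when ConnectionInfo reaches the broker
        return conn;
    }

    public static void main(String[] args) throws Exception {
        BrokerService broker = startBroker();
        try {
            try {
                connect("consumer", "wrong-password");
                throw new AssertionError("bad password was accepted");
            } catch (JMSSecurityException expected) {
                System.out.println("login refused: " + expected.getMessage());
            }
            Connection consumerConn = connect("consumer", "consumer-secret");
            Session cs = consumerConn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Topic topic = cs.createTopic(TOPIC);
            MessageConsumer subscriber = cs.createConsumer(topic);   // consumers may read ...
            try {
                cs.createProducer(topic);     // ... but a producer bound to the topic needs write permission
                throw new AssertionError("consumer was allowed to write");
            } catch (JMSSecurityException expected) {
                System.out.println("write refused: " + expected.getMessage());
            }
            Connection publisherConn = connect("publisher", "publisher-secret");
            Session ps = publisherConn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            ps.createProducer(topic).send(ps.createTextMessage("hello"));
            TextMessage received = (TextMessage) subscriber.receive(5000);
            System.out.println("consumer received: " + received.getText());
            publisherConn.close();
            consumerConn.close();
        } finally {
            broker.stop();
        }
    }
}
```

Two details worth noting: a bad password is not reported by createConnection() but by start() (or the first session operation), because that is when the ConnectionInfo command reaches the broker; and a broker-side denial arrives on the client as JMSSecurityException, so that is the exception to catch rather than a generic JMSException.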
(2) Message-level authorization

Authorizes delivery of individual messages: before dispatching a message to a consumer, the broker asks a policy whether that consumer may receive it. A message the policy denies is simply not dispatched to that consumer.

Development steps:

1. Implement the policy as a class implementing the MessageAuthorizationPolicy interface. The example below keys on the peer's IP address, which only identifies a network location (clients behind a NAT or proxy share one); where an authentication plug-in is installed, the authenticated identity in context.getSecurityContext() is the stronger basis for a decision.

package org.apache.activemq.book.ch6;

import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.Message;
import org.apache.activemq.security.MessageAuthorizationPolicy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Only consumers connected from the loopback address may receive messages.
public class AuthorizationPolicy implements MessageAuthorizationPolicy {

    // ActiveMQ 5.x ships slf4j in lib/, so log through it rather than commons-logging
    private static final Logger LOG = LoggerFactory.getLogger(AuthorizationPolicy.class);

    public boolean isAllowedToConsume(ConnectionContext context, Message message) {
        // The remote address is the whole peer address including the port, e.g. "/127.0.0.1:51234"
        // (some versions and transports prefix it with "tcp://"; check the logged value), hence startsWith.
        String remoteAddress = context.getConnection().getRemoteAddress();
        LOG.info(remoteAddress);
        if (remoteAddress != null && remoteAddress.startsWith("/127.0.0.1")) {
            LOG.info("Permission to consume granted");
            return true;
        } else {
            LOG.info("Permission to consume denied");
            return false;
        }
    }
}

2. Package the class as a JAR and put it in ActiveMQ's lib directory.

3. Declare the policy with a <messageAuthorizationPolicy> element, a direct child of <broker> in activemq.xml (not inside <plugins>); the class attribute must be the fully qualified name of the class in the JAR:

<messageAuthorizationPolicy>
  <bean class="org.apache.activemq.book.ch6.AuthorizationPolicy"
        xmlns="http://www.springframework.org/schema/beans" />
</messageAuthorizationPolicy>
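As an added example that is not part of the original page or of ActiveMQ itself, the policy below decides on the consumer's authenticated groups instead of its IP address: a producer labels a message with an "audience" property naming the groups allowed to receive it, and the policy compares that with the GroupPrincipals the authentication plug-in placed in the connection's SecurityContext. The class name AudiencePolicy and the property name are assumptions. Its main() checks the policy stand-alone, building contexts the way the authentication plug-ins do, so no broker is needed to run it.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ActiveMQTextMessage;
import org.apache.activemq.command.Message;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.security.MessageAuthorizationPolicy;
import org.apache.activemq.security.SecurityContext;

// Added example (not from the page or the ActiveMQ project): a message-level policy keyed on the
// consumer's authenticated groups. The class and the "audience" property name are assumptions.
public class AudiencePolicy implements MessageAuthorizationPolicy {

    static final String AUDIENCE = "audience";   // comma-separated group names, set by the producer

    public boolean isAllowedToConsume(ConnectionContext context, Message message) {
        SecurityContext security = context.getSecurityContext();
        if (security == null) {
            return false;   // no authenticated identity (no authentication plug-in installed): fail closed
        }
        String audience;
        try {
            audience = (String) message.getProperty(AUDIENCE);
        } catch (IOException e) {
            return false;   // message properties could not be unmarshalled: fail closed
        }
        if (audience == null) {
            return true;    // unlabelled messages go to every authenticated consumer
        }
        Set<GroupPrincipal> allowed = new HashSet<GroupPrincipal>();
        for (String group : audience.split(",")) {
            allowed.add(new GroupPrincipal(group.trim()));
        }
        // true when the consumer's connection holds at least one of the named groups
        return security.isInOneOf(allowed);
    }

    // --- stand-alone check without a broker: contexts built the way the authentication plug-ins build them ---

    static ConnectionContext contextFor(String user, String... groups) {
        final Set<Principal> principals = new HashSet<Principal>();
        for (String group : groups) {
            principals.add(new GroupPrincipal(group));
        }
        ConnectionContext ctx = new ConnectionContext();
        ctx.setSecurityContext(new SecurityContext(user) {
            @Override
            public Set<Principal> getPrincipals() {
                return principals;
            }
        });
        return ctx;
    }

    // constructed sample message; a real producer sets the property before send()
    static Message labelled(String audience) throws Exception {
        ActiveMQTextMessage m = new ActiveMQTextMessage();
        m.setText("constructed sample payload");
        if (audience != null) {
            m.setStringProperty(AUDIENCE, audience);
        }
        return m;
    }

    static void check(boolean ok, String what) {
        if (!ok) {
            throw new AssertionError(what);
        }
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) throws Exception {
        AudiencePolicy policy = new AudiencePolicy();
        ConnectionContext admin = contextFor("admin", "admins", "publishers", "consumers");
        ConnectionContext guest = contextFor("guest", "guests");
        ConnectionContext unauthenticated = new ConnectionContext();

        check(policy.isAllowedToConsume(admin, labelled("admins")), "admin may read an admins-only message");
        check(!policy.isAllowedToConsume(guest, labelled("admins")), "guest may not");
        check(policy.isAllowedToConsume(guest, labelled("admins,guests")), "guest may read when guests are listed");
        check(policy.isAllowedToConsume(guest, labelled(null)), "unlabelled messages reach any authenticated consumer");
        check(!policy.isAllowedToConsume(unauthenticated, labelled(null)), "but never an unauthenticated one");
    }
}
```

The label is only as trustworthy as the producer that set it, so this policy complements the write permissions of destination-level authorization rather than replacing them; and because isAllowedToConsume runs for every message and every candidate consumer, keep it free of blocking calls.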
3. Custom security plug-ins

Plug-in logic goes in a subclass of BrokerFilter, which is installed through an implementation of BrokerPlugin. A BrokerFilter wraps the broker and can intercept broker-level operations such as:

- attaching consumers and producers
- committing transactions
- adding and removing connections to the broker

Demo: restrict connections to the broker by client IP address.

package ch02.ptp;

import java.util.List;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ConnectionInfo;

public class IPAuthenticationBroker extends BrokerFilter {

    List<String> allowedIPAddresses;

    public IPAuthenticationBroker(Broker next, List<String> allowedIPAddresses) {
        super(next);
        this.allowedIPAddresses = allowedIPAddresses;
    }

    @Override
    public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
        // getRemoteAddress() returns the whole peer address, e.g. "tcp://127.0.0.1:51234" or
        // "/127.0.0.1:51234" depending on version and transport, so compare the host part only;
        // comparing the raw string against "127.0.0.1" would never match.
        String remoteAddress = context.getConnection().getRemoteAddress();
        if (remoteAddress == null || !allowedIPAddresses.contains(hostOf(remoteAddress))) {
            throw new SecurityException("Connecting from IP address " + remoteAddress + " is not allowed");
        }
        super.addConnection(context, info);
    }

    // strips the scheme, leading slashes and port from a remote address string
    static String hostOf(String remoteAddress) {
        String host = remoteAddress;
        int scheme = host.indexOf("://");
        if (scheme >= 0) {
            host = host.substring(scheme + 3);
        }
        while (host.startsWith("/")) {
            host = host.substring(1);
        }
        int colon = host.lastIndexOf(':');
        if (colon >= 0 && host.indexOf(']') < colon) {   // drop the port, but not the colons inside an IPv6 literal
            host = host.substring(0, colon);
        }
        return host;
    }
}

Installing the plug-in:

package ch02.ptp;

import java.util.List;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerPlugin;

public class IPAuthenticationPlugin implements BrokerPlugin {

    List<String> allowedIPAddresses;

    // called once by the broker at start-up; wraps the broker chain built so far
    public Broker installPlugin(Broker broker) throws Exception {
        return new IPAuthenticationBroker(broker, allowedIPAddresses);
    }

    public List<String> getAllowedIPAddresses() {
        return allowedIPAddresses;
    }

    public void setAllowedIPAddresses(List<String> allowedIPAddresses) {
        this.allowedIPAddresses = allowedIPAddresses;
    }
}

Note: package these two classes into a JAR and put it in ActiveMQ's lib directory.

Configure the custom plug-in. The class attribute must be the fully qualified name of the plug-in class compiled into the JAR, here ch02.ptp.IPAuthenticationPlugin; the bean's properties are set by Spring, which is what the xmlns on the bean element is for:

<plugins>
  <bean xmlns="http://www.springframework.org/schema/beans"
        id="ipAuthenticationPlugin"
        class="ch02.ptp.IPAuthenticationPlugin">
    <property name="allowedIPAddresses">
      <list>
        <value>127.0.0.1</value>
      </list>
    </property>
  </bean>
</plugins>

An IP allow-list is a coarse network control: every client behind the same NAT or proxy shares one address, so it complements the authentication plug-ins of section 1 rather than replacing them.
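The IP filter above only uses the addConnection hook. The following added example, which is not from the original page or from the ActiveMQ project, uses both addConnection and removeConnection to cap the number of simultaneous connections a single user name may hold, a common guard against leaked or shared credentials being used to exhaust the broker. The class name ConnectionLimitPlugin, the user name and the limit of one are assumptions. Its main() installs the plug-in on an embedded broker with a TCP connector on an ephemeral port and shows the second connection for the same user being refused and the slot being released when the first one closes; no authentication plug-in is configured in this demo, so any password is accepted.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.jms.Connection;
import javax.jms.JMSSecurityException;
import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.BrokerService;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.broker.TransportConnector;
import org.apache.activemq.command.ConnectionId;
import org.apache.activemq.command.ConnectionInfo;

// Added example (not from the page or the ActiveMQ project): refuse a connection once the same
// user name already holds maxPerUser open connections. Names and limits are assumptions.
public class ConnectionLimitPlugin implements BrokerPlugin {

    private int maxPerUser = 1;

    public int getMaxPerUser() { return maxPerUser; }

    public void setMaxPerUser(int maxPerUser) { this.maxPerUser = maxPerUser; }   // settable from activemq.xml

    public Broker installPlugin(Broker next) throws Exception {
        return new ConnectionLimitBroker(next, maxPerUser);
    }

    static class ConnectionLimitBroker extends BrokerFilter {
        private final int maxPerUser;
        private final ConcurrentMap<String, AtomicInteger> open = new ConcurrentHashMap<String, AtomicInteger>();
        private final ConcurrentMap<ConnectionId, String> admitted = new ConcurrentHashMap<ConnectionId, String>();

        ConnectionLimitBroker(Broker next, int maxPerUser) {
            super(next);
            this.maxPerUser = maxPerUser;
        }

        @Override
        public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
            String user = info.getUserName() == null ? "<anonymous>" : info.getUserName();
            open.putIfAbsent(user, new AtomicInteger());
            AtomicInteger count = open.get(user);
            // reserve the slot atomically first, so two simultaneous logins cannot both slip under the limit
            if (count.incrementAndGet() > maxPerUser) {
                count.decrementAndGet();
                throw new SecurityException("User " + user + " already has " + maxPerUser + " open connection(s)");
            }
            try {
                super.addConnection(context, info);   // the rest of the chain (e.g. authentication) may still refuse
                admitted.put(info.getConnectionId(), user);
            } catch (Exception e) {
                count.decrementAndGet();              // give the slot back: no connection was established
                throw e;
            }
        }

        @Override
        public void removeConnection(ConnectionContext context, ConnectionInfo info, Throwable error) throws Exception {
            try {
                super.removeConnection(context, info, error);
            } finally {
                String user = admitted.remove(info.getConnectionId());   // release only slots we handed out
                if (user != null) {
                    open.get(user).decrementAndGet();
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        BrokerService broker = new BrokerService();
        broker.setPersistent(false);
        broker.setUseJmx(false);
        ConnectionLimitPlugin limit = new ConnectionLimitPlugin();
        limit.setMaxPerUser(1);
        broker.setPlugins(new BrokerPlugin[] { limit });
        TransportConnector connector = broker.addConnector("tcp://127.0.0.1:0");   // ephemeral port
        broker.start();
        String url = connector.getConnectUri().toString();
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("alice", "alice-secret", url);
        try {
            Connection first = factory.createConnection();
            first.start();
            try {
                factory.createConnection().start();
                throw new AssertionError("second connection for alice should have been refused");
            } catch (JMSSecurityException expected) {
                System.out.println("refused: " + expected.getMessage());
            }
            first.close();                 // close() is synchronous, so removeConnection has run ...
            Connection again = factory.createConnection();
            again.start();                 // ... and alice can connect again
            System.out.println("connected again after closing the first connection");
            again.close();
        } finally {
            broker.stop();
        }
    }
}
```

Plug-ins wrap each other in the order they are listed, so the last one in <plugins> sees each operation first. Listed after the authentication plug-in, this filter runs before credentials are checked, which is why the reserved slot is released whenever the rest of the chain throws; the admitted map makes the bookkeeping exact even if removeConnection is ever invoked for a connection this filter never admitted.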